In May, Microsoft released a patch for CVE-2019-0708, the dangerous vulnerability in Remote Desktop Services known as BlueKeep. The worm that some researchers feared would exploit the bug on a mass scale hasn't materialized, but in the last few days someone has begun running an exploit against unpatched systems to install a cryptominer, and Microsoft is warning customers that more serious exploitation may be on the way.
The exploit attempts began showing up in security researcher Kevin Beaumont's honeypots last week, crashing the systems he had set up specifically to monitor for BlueKeep attacks. The exploit turned out to be the public module for the Metasploit framework, but it was unreliable enough that it was causing the honeypots to crash and reboot rather than run the payload. Where it did succeed, the end goal was to install a cryptominer. Beaumont got in touch with both Microsoft and Marcus Hutchins, a researcher at KryptosLogic, who began investigating the attacks. Microsoft's team discovered connections between the BlueKeep exploits and a coin-mining campaign from September.
“After extracting indicators of compromise and pivoting to various related signal intelligence, Microsoft security researchers found that an earlier coin mining campaign in September used a main implant that contacted the same command-and-control infrastructure used during the October BlueKeep Metasploit campaign, which, in cases where the exploit did not cause the system to crash, was also observed installing a coin miner,” Microsoft’s analysis says.
“This indicated that the same attackers were likely responsible for both coin mining campaigns—they have been actively staging coin miner attacks and eventually incorporated the BlueKeep exploit into their arsenal.”
After the initial analysis, the server running the coin-mining operation was taken offline, but Beaumont found that the attackers have set up a new one that's still operating. The cryptomining attacks are more of a nuisance than anything else, but they demonstrate that attackers are now exploiting BlueKeep in the wild, and there are still hundreds of thousands of unpatched systems exposed to the Internet. Although the current BlueKeep exploit is unstable, Microsoft's analysts warn that it will likely be improved and used to deliver more dangerous payloads.
“Security signals and forensic analysis show that the BlueKeep Metasploit module caused crashes in some cases, but we cannot discount enhancements that will likely result in more effective attacks. In addition, while there have been no other verified attacks involving ransomware or other types of malware as of this writing, the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners,” Microsoft said.
“The new exploit attacks show that BlueKeep will be a threat as long as systems remain unpatched, credential hygiene is not achieved, and overall security posture is not kept in check. Customers are encouraged to identify and update vulnerable systems immediately. Many of these unpatched devices could be unmonitored RDP appliances placed by suppliers and other third-parties to occasionally manage customer systems. Because BlueKeep can be exploited without leaving obvious traces, customers should also thoroughly inspect systems that might already be infected or compromised.”
The BlueKeep vulnerability is a remote code execution flaw in Remote Desktop Services that can be exploited without authentication, before any credentials are presented. An attacker who successfully exploits it gains code execution in the kernel on the target and so effectively full control of the machine. The bug affects Windows 7, Windows Server 2008 and 2008 R2, and the out-of-support Windows XP and Server 2003; Windows 8 and Windows 10 are not affected. Microsoft released a patch for BlueKeep on May 14, including unusual out-of-band fixes for XP and Server 2003, and specifically warned customers to install it as soon as possible because the flaw was "wormable". That worm hasn't appeared yet, but Beaumont doesn't discount the possibility of one appearing at some point.
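Because the flaw sits in the pre-authentication part of the RDP connection sequence, the practical question for defenders is which listeners will still talk to an unauthenticated client. A server that enforces Network Level Authentication (NLA) refuses the connection at the X.224 negotiation step unless the client offers CredSSP, so the vulnerable code is never reached by an attacker without valid credentials; a server that accepts standard RDP security, or that is too old to negotiate at all, exposes that code to anyone who can reach port 3389. The probe below, written for this article and not code from Microsoft, Beaumont or Hutchins, builds the X.224 Connection Request from MS-RDPBCGR, asks for standard RDP security only, and classifies the server's answer. The byte strings at the bottom are constructed by hand to cover the three kinds of reply, not captures from real hosts.

```python
"""Classify an RDP listener by its X.224 negotiation reply: does it accept an
unauthenticated (non-NLA) connection, i.e. is the pre-authentication code path
that CVE-2019-0708 lives in reachable from the network?

Added example for this article; not code from Microsoft or the researchers named.
Packet layouts follow MS-RDPBCGR 2.2.1.1 and 2.2.1.2. The SAMPLE_* replies below
are constructed by hand, not captured from real servers."""
import socket
import struct
import sys

# rdpNegData "type" values (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1, 2.2.1.2.2)
TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
# requestedProtocols / selectedProtocol flags
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2
# RDP_NEG_FAILURE failureCode values
HYBRID_REQUIRED_BY_SERVER = 5
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
PROTOCOL_NAMES = {PROTOCOL_RDP: "PROTOCOL_RDP", PROTOCOL_SSL: "PROTOCOL_SSL",
                  PROTOCOL_HYBRID: "PROTOCOL_HYBRID"}


def build_connection_request(requested_protocols: int = PROTOCOL_RDP) -> bytes:
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ.

    Asking only for standard RDP security is the point of the probe: a server
    configured to require NLA has to refuse it."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR TPDU: code 0xE0, dst-ref, src-ref, class 0, then rdpNegReq
    x224_body = struct.pack(">BHHB", 0xE0, 0, 0, 0) + neg_req
    x224 = bytes([len(x224_body)]) + x224_body          # LI counts bytes after itself
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224   # TPKT v3 header


def parse_connection_confirm(data: bytes) -> dict:
    """Interpret the X.224 Connection Confirm a server sends back."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 PDU")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len != len(data):
        raise ValueError("TPKT length %d does not match %d bytes" % (tpkt_len, len(data)))
    li, code = data[4], data[5]
    if code != 0xD0:
        raise ValueError("expected X.224 Connection Confirm (0xD0), got 0x%02x" % code)
    if li == 6:
        # Pre-negotiation servers (XP / Server 2003 era) answer with a bare 11-byte CC:
        # standard RDP security only, no way to require NLA at all.
        return {"negotiation": False, "nla_required": False, "pre_auth_exposed": True,
                "detail": "legacy CC without RDP_NEG_RSP (standard RDP security only)"}
    if len(data) < 19:
        raise ValueError("CC too short to carry rdpNegData")
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
    if neg_len != 8:
        raise ValueError("bad rdpNegData length %d" % neg_len)
    if neg_type == TYPE_RDP_NEG_RSP:
        # The server accepted a security level: the rest of the connection sequence
        # (MCS connect, channel setup) now runs before any logon unless it chose CredSSP.
        nla = value == PROTOCOL_HYBRID
        return {"negotiation": True, "nla_required": nla, "pre_auth_exposed": not nla,
                "detail": "server selected %s" % PROTOCOL_NAMES.get(value, "0x%x" % value)}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        # HYBRID_REQUIRED_BY_SERVER means NLA is enforced, so an unauthenticated
        # client is cut off here and never reaches the vulnerable channel handling.
        nla = value == HYBRID_REQUIRED_BY_SERVER
        return {"negotiation": True, "nla_required": nla, "pre_auth_exposed": not nla,
                "detail": "server refused: %s" % FAILURE_CODES.get(value, "0x%x" % value)}
    raise ValueError("unknown rdpNegData type 0x%02x" % neg_type)


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Send the probe to a live host and classify the answer (does network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_RDP))
        return parse_connection_confirm(s.recv(64))


# Constructed sample replies (not captures), one per case the probe distinguishes.
SAMPLE_NLA_ENFORCED = bytes.fromhex("030000130ed000001234000300080005000000")  # NEG_FAILURE, code 5
SAMPLE_NLA_OFF = bytes.fromhex("030000130ed000001234000200080000000000")       # NEG_RSP, PROTOCOL_RDP
SAMPLE_TLS_ONLY = bytes.fromhex("030000130ed000001234000200080001000000")      # NEG_RSP, PROTOCOL_SSL
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")                        # bare 11-byte CC

if __name__ == "__main__":
    for name, reply in [("nla_enforced", SAMPLE_NLA_ENFORCED), ("nla_off", SAMPLE_NLA_OFF),
                        ("tls_only", SAMPLE_TLS_ONLY), ("legacy", SAMPLE_LEGACY)]:
        print(name, parse_connection_confirm(reply))
    for host in sys.argv[1:]:                 # optional: probe real hosts you own
        print(host, probe(host))
```

Two caveats when reading the result. A "pre_auth_exposed" host is not necessarily vulnerable (Windows 8 and 10 listeners will happily select PROTOCOL_RDP or PROTOCOL_SSL and are not affected), and an NLA-enforcing host is not necessarily patched: NLA only stops attackers who lack credentials, which is why Microsoft's note above pairs patching with credential hygiene. The probe tells you where the unauthenticated path is open; only the May update closes the bug.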
“If somebody makes a reliable worm for this vulnerability — which to be clear has not happened here — expect global consequences as it will then spread inside internal networks,” Beaumont wrote in his analysis of the attacks.